base/utils/thresholds.zeek
- GLOBAL
Functions for using multiple thresholds with a counting tracker. For
example, you may want to generate a notice when something happens 10 times
and again when it happens 100 times but nothing in between. You can use
the check_threshold function to define your threshold points
and the TrackCount variable where you are keeping track of your
counter.
- Namespace
GLOBAL
Summary
Redefinable Options
The thresholds you would like to use as defaults with the
|
Types
Functions
This will check if a |
|
This will use the |
|
Detailed Interface
Redefinable Options
- default_notice_thresholds
-
The thresholds you would like to use as defaults with the
default_check_thresholdfunction.
Types
Functions
- check_threshold
- Type
function(v:vectorofcount, tracker:TrackCount) :bool
This will check if a
TrackCountvariable has crossed any thresholds in a given set.- Parameters
v – a vector holding counts that represent thresholds.
tracker – the record being used to track event counter and currently monitored threshold value.
- Returns
T if a threshold has been crossed, else F.
- default_check_threshold
- Type
function(tracker:TrackCount) :bool
This will use the
default_notice_thresholdsvariable to check aTrackCountvariable to see if it has crossed another threshold.
- new_track_count
- Type
function() :TrackCount